The Secure Sockets Layer (SSL) is another VPN technology that serves as an alternative to IPsec. All modern web browsers support SSL which means it is readily available on virtually all computers. SSL is used to create a secure connection from the web browser to a web server to support secure online access to emails, data, and bank accounts. We will discuss a few details about how can SSL be used to create remote access VPNs.
Web browsers use Hyper Text Transfer Protocol (HTTP) to connect to web servers that listen on TCP port 80 by default. However HTTP is a plain text protocol which means it is relatively easy for someone to read the data in transit and is not suited for any application that requires confidentiality. Therefore, when the communications between web browser and server need to be secure, the browser automatically switches to SSL. SSL uses port number 443, encrypting data exchanged between the browser and the server as well as authenticating the user. Normal HTTP messages then flow over the SSL VPN thus established.
Web browsers are commonly used to create secure web browsing sessions using built-in SSL functionality. However, the SSL technology is not limited to securing web browsing sessions. The same technology can also be used to create remote access VPNs using, for example, the Cisco VPN client. The Cisco AnyConnect VPN client is a software that can be installed on a PC and uses SSL to create the client side of a remote-access VPN. As a result, all packets sent to the other end of the VPN are encrypted, not just the packets sent over a single HTTP session in a web browser.
A web server can be the end point of an SSL connection from a web browser. However, often the server side of the SSL tunnel terminates on specialized VPN devices such as the Cisco ASA.
Secure Sockets Layer (SSL) and IP Security (IPsec) are important security technologies and we here present a short comparison of the two:
Table 12-3 IPsec Versus SSL
| Feature | SSL | IPsec |
| Encryption | Moderate | Stronger |
| Key Length | 40 – 128 bits | 56 – 256 bits |
| Authentication | Moderate (one-way or two-way authentication) | Strong (two-way authentication using shared secrets or digital certificates) |
| Ease of use | Very high | Moderate |
| Applications | Web-based applications, file sharing, email | Support for all IP-based applications |
| Overall Security | Moderate | Strong |
We now present a few options for tunneling IP packets and then cover one of those tunneling options in detail.
IP Tunneling Protocols
In this section, we provide a brief introduction to a few other IP tunneling protocols that can be used to build VPNs:
- Layer 2 Forwarding (L2F): It is a tunneling protocol developed by Cisco that is used to establish VPN connections over the Internet. L2F is a bare bones tunneling protocol and does not provide encryption by itself. It rather relies on the protocol being tunneled to provide encryption and confidentiality. L2F was designed for tunneling point-to-point protocol (PPP) traffic.
- Point-to-Point Tunneling Protocol (PPTP): PPTP is another means to create virtual private networks. It uses a control channel over TCP to send control packets and a GRE tunnel to encapsulate PPP data packets. The PPTP specification does not describe encryption or authentication and relies on the tunneled PPP to implement security. However, the most common PPTP implementation in Microsoft Windows products does provide authentication and encryption.
- Layer 2 Tunnel Protocol (L2TP): L2TP is an Internet Engineering Task Force (IETF) standard that combines the best features of Cisco Layer 2 Forwarding (L2F) and Microsoft Point-to-Point Tunneling Protocol (PPTP).
- Generic Routing Encapsulation (GRE): GRE is a tunneling protocol developed by Cisco that can be used to encapsulate a wide variety of other protocols inside IP tunnels. GRE is the Swiss Army knife of tunneling protocols as it can be used to create a virtual point-to-point link between end point devices over an IP network that can carry data packets from a variety of different protocols.